CVE-2010-1187: Linux kernel TIPC NULL Pointer Dereference

This vulnerability was reported by Neil Horman. It affects Linux kernel 2.6.33 and probably other releases as well. The problem lies in the Transparent Inter-Process Communication (TIPC) code, specifically in the startup code shown below from net/tipc/core.c.

After initializing ‘tipc_random’ with random bytes, the startup code sets ‘tipc_mode’ to ‘TIPC_NODE_MODE’, in which the node is only allowed to communicate with its own address. This is done because the ‘tipc_net’ structure has not been initialized yet; as net/tipc/net.c shows, its zone table starts out as NULL:

struct network tipc_net = { NULL };

Although a user should not be able to send messages to any other address while in this mode, nothing actually prevents them from doing so. A user can simply create an ‘AF_TIPC’ socket and send a datagram before the TIPC module enters network mode. When this happens, the code shown below is executed:

But since ‘tipc_net.zones’ is still NULL at this point, indexing the zone table dereferences a NULL pointer, which results in a kernel OOPS. To fix this, the initialization of the global ‘tipc_net’ was changed like this:

This makes ‘tipc_net.zones’ point to a statically allocated array with the specified number of entries, all of them zero-initialized (NULL), so the table pointer itself is never NULL and the lookup no longer faults on it. Since the storage is already allocated in the static array, no initialization routine is needed any more, and for this reason net_init() was removed:
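As an added illustration, not code from this page or from the kernel's net/tipc sources, the following userspace model contrasts the pre-fix initialization of ‘tipc_net’ (zone table pointer NULL until network mode) with the post-fix one (a static, zero-initialized table), and shows why a zone lookup triggered from node mode faults in the first case and not the second. The names ‘struct network’, ‘tipc_net’ and ‘zones’ come from the text; ‘struct _zone’, ‘tipc_zones’, ‘demo_zone’, the zone-number macros and the 256-entry table size are assumptions made for the model, and the kernel's actual send-path code is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the data structures behind CVE-2010-1187, written for
 * this note; it is not the kernel's net/tipc code.  'struct _zone',
 * 'tipc_zones', 'demo_zone', the address macros and the 256-entry table
 * size are assumptions made for illustration. */

/* A TIPC address is <zone.cluster.node>; the zone number is the top byte. */
#define tipc_zone(addr)      ((addr) >> 24)
#define tipc_addr(z, c, n)   (((uint32_t)(z) << 24) | ((uint32_t)(c) << 12) | (uint32_t)(n))

struct _zone {
    uint32_t addr;          /* zone address, e.g. tipc_addr(1, 0, 0) */
};

struct network {
    struct _zone **zones;   /* table indexed by zone number; NULL before net_init() */
};

/* Before the fix: the zone table pointer stays NULL until the node enters
 * network mode, yet the send path can still be reached in node mode. */
struct network tipc_net_vuln = { NULL };

/* After the fix: a static, zero-initialised table.  The pointer stored in
 * 'tipc_net' is valid from the start and needs no init routine. */
struct _zone *tipc_zones[256];
struct network tipc_net_fixed = { tipc_zones };

/* Constructed sample zone object and lookup result slot used by main(). */
struct _zone demo_zone = { tipc_addr(1, 0, 0) };
struct _zone *found;

/* Model of the zone lookup performed when routing a message to another
 * address.  Returns -1 where the kernel would oops (NULL table), 0 when the
 * table is valid but no zone is configured for 'dest', 1 when a zone exists. */
int select_zone(const struct network *net, uint32_t dest, struct _zone **out)
{
    *out = NULL;
    if (net->zones == NULL)
        return -1;                  /* tipc_net.zones[...] would fault here */
    *out = net->zones[tipc_zone(dest)];
    return *out != NULL;
}

/* Install a zone object into the table (models what network mode sets up).
 * Fails on the pre-fix layout because there is no table to write into. */
int register_zone(struct network *net, struct _zone *z)
{
    if (net->zones == NULL)
        return -1;
    net->zones[tipc_zone(z->addr)] = z;
    return 0;
}

int main(void)
{
    uint32_t peer = tipc_addr(1, 1, 2);   /* constructed address of another node */

    printf("pre-fix lookup:  %d (-1 = NULL dereference, kernel would oops)\n",
           select_zone(&tipc_net_vuln, peer, &found));
    printf("post-fix lookup: %d (0 = table valid, no zone configured yet)\n",
           select_zone(&tipc_net_fixed, peer, &found));

    register_zone(&tipc_net_fixed, &demo_zone);
    printf("after setup:     %d (1 = zone found)\n",
           select_zone(&tipc_net_fixed, peer, &found));
    return 0;
}
```

The model makes the NULL check explicit and reports it as a return value; the real kernel code had no such check, which is exactly why the static table matters: it removes the window in which the table pointer is invalid rather than adding a check on every send.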